
OpenSSL Heartbleed bug - Patch download - How to test whether a server's security is compromised.



What is the OpenSSL Heartbleed bug?
OpenSSL is a widely used open-source encryption library that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols together with general-purpose cryptographic routines, so that servers can offer encrypted connections. OpenSSL provides the SSL and TLS encryption behind HTTPS, the secure communication between your computer and servers on the Internet. It is used by about 2/3 of the web servers in the world.

OpenSSL vulnerability ("Heartbleed", CVE-2014-0160)
The Common Vulnerabilities and Exposures (CVE) system, the dictionary of standardized identifiers for publicly known vulnerabilities and exposures, identifies the Heartbleed bug as CVE-2014-0160 (Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160 ). On April 7, 2014 this bug was discovered in the TLS heartbeat extension of OpenSSL by Neel Mehta of Google Security. It enabled attackers to reach across the Internet and silently steal passwords, crypto keys and other sensitive information from vulnerable systems. The vulnerability was the result of a programming error in several versions of OpenSSL: a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension.
This tiny flaw in the most widely used encryption library allows an attacker to silently read memory from any vulnerable system, from your bank's HTTPS server to your private VPN, and so steal passwords, login cookies, private crypto keys and more.


At its worst, Heartbleed allowed access to the private key of an SSL certificate as well as to the encrypted communication itself. This means that any individual with the knowledge and skills required to exploit this vulnerability had a window to grab your user names, passwords and any private information you exchanged with practically any online service that used the affected versions of the OpenSSL toolkit.

The Heartbleed bug, a severe memory handling error, allows anyone on the Internet to read the memory of systems protected by vulnerable versions of OpenSSL. The bug lies in OpenSSL's implementation of the TLS heartbeat extension. Only the 1.0.1 and 1.0.2-beta releases of OpenSSL are affected, including 1.0.1f and 1.0.2-beta1. Affected users should upgrade to OpenSSL 1.0.1g. Patching consists of updating OpenSSL and then restarting every service that links against the OpenSSL libraries, since a running process keeps using the old library until it is restarted.

Users unable to upgrade immediately can instead recompile OpenSSL with the flag below, which disables the heartbeat extension entirely:

-DOPENSSL_NO_HEARTBEATS


How is the Heartbleed bug exploited?
Source: Wikipedia
The Heartbleed bug is exploited by sending a malformed heartbeat request with a small payload and large length field to the server in order to elicit the server's response, permitting attackers to read up to 64 kilobytes of server memory that was likely to have been used previously by SSL. Where a Heartbeat Request might ask the server to "send back the four-letter word 'bird'", resulting in a server response of "bird", a malicious Heartbleed Request of "send back the 500-letter word 'hat'" would cause the server to return "hat" followed by whatever 497 characters the server happened to have in active memory. Attackers in this way could receive sensitive data, compromising the security of the server and its users. (Wikipedia)
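The missing bounds check described above, as an added example that is not OpenSSL's own code: a constructed C model of heartbeat handling in which the claimed payload length is either trusted (the behaviour of 1.0.1 through 1.0.1f) or compared against the real record length (the check the 1.0.1g fix added). The function names, the 40-byte claim and the "SECRET-KEY" bytes standing in for neighbouring memory are all constructed for the demonstration.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model of OpenSSL 1.0.1 heartbeat handling (added example, not
 * OpenSSL's code). A heartbeat message is one type byte, a 2-byte big-endian
 * payload length, the payload, then at least 16 bytes of padding. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16, HB_HDR = 3 };

/* Write a request into buf. The claimed length is kept separate from the real
 * payload on purpose: the claim is the field the unpatched code trusts. */
static size_t hb_build_request(uint8_t *buf, uint16_t claimed,
                               const char *payload, size_t payload_len)
{
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed >> 8);
    buf[2] = (uint8_t)(claimed & 0xff);
    memcpy(buf + HB_HDR, payload, payload_len);
    memset(buf + HB_HDR + payload_len, 0, HB_PADDING);
    return HB_HDR + payload_len + HB_PADDING;      /* the record's true length */
}

/* Build the echo reply; returns bytes written or -1 if the record is dropped.
 * check_bounds == 0 trusts the claim (1.0.1 through 1.0.1f); check_bounds == 1
 * applies the comparison the 1.0.1g fix added. */
static int hb_reply(const uint8_t *rec, size_t rec_len, uint8_t *out,
                    size_t out_len, int check_bounds)
{
    if (rec_len < (size_t)HB_HDR || rec[0] != HB_REQUEST) return -1;
    unsigned claimed = ((unsigned)rec[1] << 8) | rec[2];
    if (check_bounds && HB_HDR + claimed + HB_PADDING > rec_len)
        return -1;                         /* fix: claim must fit in the record */
    if (HB_HDR + claimed + HB_PADDING > out_len) return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, claimed);  /* unpatched: reads past rec */
    memset(out + HB_HDR + claimed, 0, HB_PADDING);
    return (int)(HB_HDR + claimed + HB_PADDING);
}

/* A 3-byte payload with a 40-byte claim sits in a buffer that also holds other
 * data standing in for neighbouring process memory; returns 1 if the reply
 * carried that data back, 0 if it did not or the record was rejected. */
static int hb_demo_leaks(int check_bounds)
{
    uint8_t mem[128] = {0}, out[128] = {0};
    size_t rec_len = hb_build_request(mem, 40, "hat", 3);      /* 22 bytes */
    memcpy(mem + rec_len, "SECRET-KEY", 10);   /* constructed neighbouring data */
    int n = hb_reply(mem, rec_len, out, sizeof out, check_bounds);
    if (n < 0) return 0;
    return (size_t)n > rec_len + 10 && memcmp(out + rec_len, "SECRET-KEY", 10) == 0;
}
```

The unpatched path copies 40 bytes starting at the 3-byte payload, so the bytes placed after the record come back in the reply; with the check enabled the same record is simply dropped.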


Download the patch for the Heartbleed bug
The bug may affect OpenSSL 1.0.1 on Linux distributions including Debian, RHEL, Fedora, Ubuntu and CentOS. Vulnerable servers must be patched with an updated version of OpenSSL, and any services using the OpenSSL libraries must be restarted.

A fixed version of OpenSSL was released on April 7, 2014, at the same time as Heartbleed was publicly disclosed. The patch was contributed by Adam Langley and Bodo Moeller.

Popular web services have updated their servers with the Heartbleed patch.

Get the patch from here:
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=731f431497f463f3a2a97236fe0187b11c44aead
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=96db902

Online vulnerability test services
You may check whether your server is affected by the Heartbleed bug using any of the online services below:

https://filippo.io/Heartbleed/
http://www.tripwire.com/securescan/?home-banner/
http://www.arbornetworks.com/asert/2014/04/heartbleed/
https://www.ssllabs.com/ssltest/
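As a local complement to the online checks above, an added example that is not from the post: a POSIX shell check that classifies the output of `openssl version` against the affected releases the post names, and then looks at the build date, because distributions backport the fix without changing the upstream version number. The function names are constructed, and the input strings are assumed to have the format of OpenSSL 1.0.1-era builds.

```shell
#!/bin/sh
# Added example (not from the post): local Heartbleed exposure check for hosts
# running OpenSSL 1.0.1-era builds. Inputs are assumed to look like
# "OpenSSL 1.0.1e 11 Feb 2013" and "built on: Fri Jan 10 17:21:28 UTC 2014".

# Returns 0 when the upstream version is one the post lists as affected
# (1.0.1 through 1.0.1f, 1.0.2-beta1), 1 otherwise (1.0.1g, 1.0.0x, 0.9.8x).
heartbleed_affected_version() {
    ver=$(printf '%s\n' "$1" | awk '{ print $2 }')
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.2-beta|1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# Distributions backport the fix without bumping the upstream version (a
# patched Ubuntu 12.04 build still reports 1.0.1), so the version alone cannot
# clear a host. Returns 0 when the build date predates the fix (7 Apr 2014),
# i.e. the library was compiled before the fix existed.
heartbleed_built_before_fix() {
    printf '%s\n' "$1" | awk '
        { mon = $4; day = $5 + 0; yr = $NF + 0 }
        END {
            m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", mon) + 2) / 3
            before = (yr < 2014) || (yr == 2014 && (m < 4 || (m == 4 && day < 7)))
            exit !before
        }'
}

# Both tests together: 0 means the host is running an affected build and
# needs the distro update plus a restart of every service linked against
# libssl; 1 only says these two checks did not flag it.
heartbleed_host_affected() {
    heartbleed_affected_version "$1" && heartbleed_built_before_fix "$2"
}

# Usage on a host:
#   heartbleed_host_affected "$(openssl version)" "$(openssl version -b)" \
#       && echo "affected: update openssl and restart services"
```

Treat a clean result as a starting point only; the package version from the distribution advisory listed below is the authoritative check for backported builds.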

As a matter of security, it is recommended that you change the passwords of your email and any other online services you use, once the service concerned has been patched (a password changed on a still-vulnerable server can be exposed again).

For more details visit:

Read more about the Heartbleed bug: http://heartbleed.com/
Read the Wikipedia article: http://en.wikipedia.org/wiki/Heartbleed
Visit the OpenSSL website: https://www.openssl.org/
SANS ISC: https://isc.sans.edu/forums/diary/OpenSSL+CVE-2014-0160+Fixed/17917

Linux distribution responses
Ubuntu: http://www.ubuntu.com/usn/usn-2165-1/
Fedora: https://lists.fedoraproject.org/pipermail/announce/2014-April/003205.html
RHEL: https://rhn.redhat.com/errata/RHSA-2014-0376.html
CentOS: http://www.spinics.net/lists/centos-announce/msg04910.html
Debian: https://security-tracker.debian.org/tracker/CVE-2014-0160
